Total
1029 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-27555 | 1 Basetech | 2 Ge-131 Bt-1837836, Ge-131 Bt-1837836 Firmware | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| Use of default credentials for the telnet server in BASETech GE-131 BT-1837836 firmware 20180921 allows remote attackers to execute arbitrary system commands as the root user. | |||||
| CVE-2021-3141 | 1 Unisys | 1 Stealth | 2024-02-04 | 2.1 LOW | 7.8 HIGH |
| In Unisys Stealth (core) before 6.0.025.0, the Keycloak password is stored in a recoverable format that might be accessible by a local attacker, who could gain access to the Management Server and change the Stealth configuration. | |||||
| CVE-2020-2291 | 1 Jenkins | 1 Couchdb-statistics | 2024-02-04 | 2.1 LOW | 3.3 LOW |
| Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2020-26079 | 1 Cisco | 1 Iot Field Network Director | 2024-02-04 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the web UI of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to obtain hashes of user passwords on an affected device. The vulnerability is due to insufficient protection of user credentials. An attacker could exploit this vulnerability by logging in as an administrative user and crafting a call for user information. A successful exploit could allow the attacker to obtain hashes of user passwords on an affected device. | |||||
| CVE-2021-0220 | 1 Juniper | 1 Junos Space | 2024-02-04 | 3.5 LOW | 6.8 MEDIUM |
| The Junos Space Network Management Platform has been found to store shared secrets in a recoverable format that can be exposed through the UI. An attacker who is able to execute arbitrary code in the victim browser (for example via XSS) or access cached contents may be able to obtain a copy of credentials managed by Junos Space. The impact of a successful attack includes, but is not limited to, obtaining access to other servers connected to the Junos Space Management Platform. This issue affects Juniper Networks Junos Space versions prior to 20.3R1. | |||||
| CVE-2021-1392 | 1 Cisco | 2 Ios, Ios Xe | 2024-02-04 | 2.1 LOW | 7.8 HIGH |
| A vulnerability in the CLI command permissions of Cisco IOS and Cisco IOS XE Software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP) and then remotely configure the device as an administrative user. This vulnerability exists because incorrect permissions are associated with the show cip security CLI command. An attacker could exploit this vulnerability by issuing the command to retrieve the password for CIP on an affected device. A successful exploit could allow the attacker to reconfigure the device. | |||||
| CVE-2020-15646 | 1 Mozilla | 1 Thunderbird | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then Thunderbird sends username and password over https to a server controlled by the attacker. This vulnerability affects Thunderbird < 68.10.0. | |||||
| CVE-2019-14477 | 1 Adremsoft | 1 Netcrunch | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
| AdRem NetCrunch 10.6.0.4587 has Improper Credential Storage since the internal user database is readable by low-privileged users and passwords in the database are weakly encoded or encrypted. | |||||
| CVE-2020-3483 | 1 Cisco | 1 Duo Network Gateway | 2024-02-04 | 3.3 LOW | 6.3 MEDIUM |
| Duo has identified and fixed an issue with the Duo Network Gateway (DNG) product in which some customer-provided SSL certificates and private keys were not excluded from logging. This issue resulted in certificate and private key information being written out in plain-text to local files on the DNG host. Any private keys logged in this way could be viewed by those with access to the DNG host operating system without any need for reversing encrypted values or similar techniques. An attacker that gained access to the DNG logs and with the ability to intercept and manipulate network traffic between a user and the DNG, could decrypt and manipulate SSL/TLS connections to the DNG and to the protected applications behind it. Duo Network Gateway (DNG) versions 1.3.3 through 1.5.7 are affected. | |||||
| CVE-2020-28390 | 1 Siemens | 1 Opcenter Execution Core | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability has been identified in Opcenter Execution Core (V8.2), Opcenter Execution Core (V8.3). The application contains an information leakage vulnerability in the handling of web client sessions. A local attacker who has access to the Web Client Session Storage could disclose the passwords of currently logged-in users. | |||||
| CVE-2021-1731 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
| PFX Encryption Security Feature Bypass Vulnerability | |||||
| CVE-2020-4568 | 1 Ibm | 1 Security Key Lifecycle Manager | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
| IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, and 4.0 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 184157. | |||||
| CVE-2020-29392 | 1 Lock Password Manager Safe App Project | 1 Lock Password Manager Safe App | 2024-02-04 | 2.1 LOW | 4.6 MEDIUM |
| The Estil Hill Lock Password Manager Safe app 2.3 for iOS has a *#06#* backdoor password. An attacker with physical access can unlock the password manager without knowing the master password set by the user. | |||||
| CVE-2020-13528 | 1 Lantronix | 2 Xport Edge, Xport Edge Firmware | 2024-02-04 | 2.6 LOW | 5.3 MEDIUM |
| An information disclosure vulnerability exists in the Web Manager and telnet CLI functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause information disclosure. An attacker can sniff the network to trigger this vulnerability. | |||||
| CVE-2020-8259 | 1 Nextcloud | 1 Nextcloud | 2024-02-04 | 5.5 MEDIUM | 8.1 HIGH |
| Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys. | |||||
| CVE-2020-26903 | 1 Netgear | 14 Cbr40, Cbr40 Firmware, Rbk752 and 11 more | 2024-02-04 | 3.3 LOW | 8.8 HIGH |
| Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11. | |||||
| CVE-2020-12333 | 1 Intel | 1 Quickassist Technology | 2024-02-04 | 4.6 MEDIUM | 7.8 HIGH |
| Insufficiently protected credentials in the Intel(R) QAT for Linux before version 1.7.l.4.10.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-28330 | 1 Barco | 2 Wepresent Wipg-1600w, Wepresent Wipg-1600w Firmware | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Barco wePresent WiPG-1600W devices have Unprotected Transport of Credentials. Affected Version(s): 2.5.1.8. An attacker armed with hardcoded API credentials (retrieved by exploiting CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp of a Barco wePresent WiPG-1600W device. | |||||
| CVE-2020-15157 | 3 Canonical, Debian, Linuxfoundation | 3 Ubuntu Linux, Debian Linux, Containerd | 2024-02-04 | 2.6 LOW | 6.1 MEDIUM |
| In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected. | |||||
| CVE-2019-16211 | 1 Broadcom | 1 Brocade Sannav | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| Brocade SANnav versions before v2.1.0, contain a Plaintext Password Storage vulnerability. | |||||